CyberWire Daily: PHP Flaw Sparks Global Attack Wave
Published on March 10, 2025 by N2K Networks
Introduction
In the March 10, 2025 episode of CyberWire Daily, hosted by Dave Bittner and powered by N2K Networks, industry leaders delve into a series of critical cybersecurity incidents and developments shaping the global landscape. The episode provides an in-depth analysis of a recently exploited PHP vulnerability, emerging threats in microcontroller security, the evolving role of the Office of the National Cyber Director (ONCD), and significant ransomware attacks affecting various sectors. Additionally, the episode features an insightful interview with Errol Weiss, Chief Security Officer at the Health Information Sharing and Analysis Center (Health ISAC), who discusses the pressing need for private sector leadership in safeguarding critical infrastructure.
Key Cybersecurity News
1. PHP Vulnerability Exploited Globally
Timestamp: [02:00]
A critical PHP vulnerability has been actively exploited worldwide, allowing threat actors to execute remote code on Windows servers running Apache and PHP CGI with specific code page settings. The flaw stems from PHP's improper handling of Unicode "best fit" conversion, which lets attackers turn crafted character sequences into PHP command-line options. The flaw was disclosed publicly in June 2024, and ransomware groups were exploiting it within days of its revelation.
Notable Quote:
"Threat actors are actively exploiting a critical PHP vulnerability to execute remote code on Windows servers," — CyberWire Daily, [02:00]
Cisco reported targeted attacks on Japanese organizations across multiple sectors using Cobalt Strike-based tools for persistence and privilege escalation. GrayNoise further highlighted the global surge in exploitation attempts, particularly from IPs in the US, UK, Singapore, and India, with Germany and China accounting for over 43% of malicious activities. Users are urged to update their PHP versions immediately to mitigate these risks.
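The root cause described above is a general class of bug: input is validated in one character encoding and then silently converted into another, so a string that passes the check can become a command-line option after conversion. The following Python is an added illustration, not code from the episode or from the PHP project. Windows best-fit code-page conversion is not exposed by Python, so NFKC compatibility normalization (which folds, for example, FULLWIDTH HYPHEN-MINUS U+FF0D to the ASCII hyphen) stands in for it as a labelled substitute; the function names and sample inputs are constructed for the example.

```python
"""Canonicalize-then-validate: why checking input *before* a lossy
character conversion is not enough.

Added example. NFKC normalization is used here as a stand-in for the
Windows "best fit" conversion discussed on the page; the defensive
lesson (validate the canonical form, or reject anything that changes
under conversion) is the same.
"""
import unicodedata


def looks_like_option(arg: str) -> bool:
    """True if a CLI parser would treat this argument as an option."""
    return arg.startswith("-")


def canonicalize(arg: str) -> str:
    """Stand-in for the downstream narrowing conversion (assumption: NFKC)."""
    return unicodedata.normalize("NFKC", arg)


def naive_is_safe(arg: str) -> bool:
    """Validates the raw input only. This is the pattern that fails:
    a non-ASCII look-alike passes here and becomes '-' downstream."""
    return not looks_like_option(arg)


def hardened_is_safe(arg: str) -> bool:
    """Reject the argument if it changes under canonicalization at all
    (the conservative rule for data that reaches a native process), and
    reject it if the canonical form is option-like."""
    canon = canonicalize(arg)
    if canon != arg:
        return False
    return not looks_like_option(canon)


def audit(args):
    """Compare both validators side by side for a list of arguments."""
    return [
        {
            "input": a,
            "canonical": canonicalize(a),
            "naive": naive_is_safe(a),
            "hardened": hardened_is_safe(a),
        }
        for a in args
    ]


# Constructed inputs: a plain filename, an explicit option, a fullwidth
# look-alike that folds to an option, and an accented word that is
# already in canonical form (so it is not rejected merely for being non-ASCII).
SAMPLE_ARGS = ["index.php", "-x", "\uFF0Dx", "caf\u00e9"]

if __name__ == "__main__":
    for row in audit(SAMPLE_ARGS):
        print(row)
```

The point of the `caf\u00e9` row is that the hardened rule does not simply reject non-ASCII; it rejects inputs whose meaning shifts during conversion. In a real deployment the equivalent mitigation is to validate after the same conversion the runtime performs, or to keep untrusted request data out of any process argument vector entirely.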
2. Undocumented Commands in ESP32 Microchip
Timestamp: [05:30]
Security researchers at Tarlogic Security uncovered undocumented commands in the ESP32 microcontroller, a prevalent component in over a billion Wi-Fi and Bluetooth-enabled devices. These hidden commands could enable attackers to spoof trusted devices, access unauthorized data, pivot to other devices, and establish long-term persistence. The vulnerability arises from 29 vendor-specific Bluetooth commands facilitating memory manipulation, MAC address spoofing, and packet injection.
Notable Quote:
"These hidden commands found by Tarlogic Security could allow attackers to spoof trusted devices and establish long-term persistence," — CyberWire Daily, [05:30]
Espressif, the manufacturer of the ESP32, has not yet disclosed these commands publicly, raising concerns about whether they were intentional or oversights. While remote exploitation remains a possibility, physical access poses a greater threat. Compromised ESP32 chips could become launchpads for persistent cyberattacks on IoT devices, mobile phones, and medical equipment.
3. Office of the National Cyber Director's Growing Influence
Timestamp: [08:15]
The Office of the National Cyber Director (ONCD) is anticipated to gain substantial authority under the second Trump administration. Sean Cairncross, a Trump loyalist lacking a cybersecurity background, is expected to helm the ONCD, bringing robust political connections that may enhance its oversight of cyber policy across the executive branch. Experts suggest that ONCD will play a pivotal role in guiding both offensive cyber initiatives and domestic defense strategies.
Notable Quote:
"ONCD may finally become the executive branch's primary cyber authority, a role it struggled to achieve under Biden's administration," — CyberWire Daily, [08:15]
The integration of ONCD with the National Security Council's (NSC) cyber team is projected to bolster cyber crisis management. Analysts predict that deregulation will feature prominently in ONCD's agenda, especially given the reduced cyber staffing at the NSC and the absence of a figure like Ann Neuberger.
4. Akira Ransomware Gang's Unconventional Attack
Timestamp: [10:45]
The Akira ransomware group has employed a novel attack vector by leveraging an unsecured Linux-based webcam to infiltrate and encrypt victim networks. After initial access through an exposed remote access solution, likely via stolen credentials or brute force attacks, Akira installed AnyDesk, exfiltrated data for double extortion, and utilized Remote Desktop Protocol (RDP) to propagate. When their Windows encryptor was blocked by Endpoint Detection and Response (EDR) systems, they pivoted to exploiting a vulnerable webcam, which lacked EDR protection, to access Windows SMB network shares and deploy their Linux encryptor successfully.
Notable Quote:
"This attack highlights the security risks of IoT devices, emphasizing the need for network segmentation and regular firmware updates," — CyberWire Daily, [10:45]
This incident underscores the imperative for robust security measures on IoT devices, including network segmentation, consistent firmware updates, and enhanced monitoring of non-traditional endpoints to prevent such exploitations.
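The Akira case turns on one observable fact: a camera that should only speak to its recorder started opening SMB sessions to Windows file servers. The following Python is an added example, not from the episode or from any vendor tool, showing how a segmentation policy can be checked against flow records. The subnets, the allowlist, and the log lines are all constructed for the example; a real deployment would read the same fields from firewall, NetFlow, or Zeek logs.

```python
"""Flag IoT-originated traffic that leaves its segment, with SMB called out
separately, over constructed flow records.

Added example. Subnets, ports, and the allowlist are assumptions chosen to
mirror the scenario on the page: a camera VLAN that should only reach its
recorder and an NTP server, and Windows servers exposing SMB shares.
"""
import ipaddress

IOT_NET = ipaddress.ip_network("10.30.0.0/24")     # assumption: camera VLAN
SMB_PORTS = {445, 139}

# Assumption: the only flows a camera legitimately initiates off-segment.
ALLOWED_FROM_IOT = {
    ("10.10.0.50", 554),   # RTSP to the video recorder
    ("10.10.0.5", 123),    # NTP
}

# Constructed flow records (key=value style, one flow per line).
SAMPLE_FLOWS = """\
2025-03-05T02:11:03Z src=10.30.0.17 dst=10.10.0.50 dport=554 proto=tcp bytes=91234
2025-03-05T02:11:09Z src=10.30.0.17 dst=10.10.0.5 dport=123 proto=udp bytes=76
2025-03-05T02:14:41Z src=10.30.0.17 dst=10.10.0.21 dport=445 proto=tcp bytes=4521991
2025-03-05T02:15:02Z src=10.30.0.17 dst=10.10.0.22 dport=445 proto=tcp bytes=3988120
2025-03-05T02:16:30Z src=10.10.0.9 dst=10.10.0.21 dport=445 proto=tcp bytes=20411
"""


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp k=v k=v ...' record into a dict."""
    ts, *kvs = line.split()
    rec = {"ts": ts}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec: dict) -> str:
    """Return 'ok', 'segmentation-violation', or 'iot-smb-lateral'.

    Only flows *originating* in the IoT segment are policed here; the last
    sample line (a Windows workstation talking SMB to a server) is ordinary
    and must not be flagged by this particular rule.
    """
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if src not in IOT_NET or dst in IOT_NET:
        return "ok"
    if (rec["dst"], rec["dport"]) in ALLOWED_FROM_IOT:
        return "ok"
    if rec["dport"] in SMB_PORTS:
        return "iot-smb-lateral"
    return "segmentation-violation"


def find_violations(log_text: str) -> list:
    """All (record, verdict) pairs that are not 'ok'."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        verdict = classify(rec)
        if verdict != "ok":
            out.append((rec, verdict))
    return out


def smb_targets(log_text: str) -> set:
    """Servers that an IoT device opened SMB sessions to."""
    return {rec["dst"] for rec, v in find_violations(log_text) if v == "iot-smb-lateral"}


if __name__ == "__main__":
    for rec, verdict in find_violations(SAMPLE_FLOWS):
        print(f"{rec['ts']} {verdict}: {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['bytes']} bytes)")
```

The allowlist is the segmentation policy written down; in the Akira scenario the same rule implemented as a firewall ACL would have blocked the encryptor's access to the shares outright, and the detection logic above is the monitoring counterpart for the case where the ACL is missing or misconfigured. Byte counts are carried through because a camera pushing megabytes into a file share is itself a useful secondary signal.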
5. Mission, Texas Declares State of Emergency After Cyberattack
Timestamp: [13:20]
The city of Mission, Texas, has declared a state of emergency following a cyberattack that compromised all city government data and rendered systems offline. Emergency services remain operational; however, police have reportedly lost access to state databases required for license and ID verifications. Mayor Nori Gonzalez Garza has appealed to Governor Greg Abbott to declare a statewide emergency to unlock disaster funds. This attack is part of a series of ransomware incidents in Texas affecting municipalities like Matagorda County, McKinney, Coppell, and Richardson, disrupting hospitals, utilities, and local governments.
Notable Quote:
"The attack, which began on Feb. 28, is under law enforcement investigation," — CyberWire Daily, [13:20]
6. LastPass Breach Linked to Major Crypto Heists
Timestamp: [16:00]
Following the 2022 LastPass breach, US federal investigators have confirmed a $150 million cyber heist in January 2024 targeting Ripple co-founder Chris Larsen, executed using stolen LastPass master passwords. The FBI and Secret Service corroborate KrebsOnSecurity's findings that attackers exploited poorly secured vaults to steal cryptocurrency seed phrases stored in LastPass Secure Notes. Despite the seizure of $24 million of the stolen funds, global thefts persist, raising concerns over LastPass's failure to adequately warn users and enforce stronger security measures.
Notable Quote:
"These attacks could have been prevented, and new thefts show the threat remains active more than two years after the breach," — CyberWire Daily, [16:00]
7. Presto Industries Suffers Cyberattack
Timestamp: [18:50]
Presto Industries, renowned for its popular home appliances such as air fryers, reported a cyberattack disrupting its shipping, manufacturing, and back-office operations since March 1st. The Wisconsin-based company disclosed the breach in an SEC filing, indicating ongoing forensic analysis and cooperation with law enforcement. While the full impact on Presto's military contracting division remains unclear, the company has implemented temporary measures to maintain critical functions. No cybercriminal group has claimed responsibility for the attack thus far.
Notable Quote:
"The attack's impact on Presto's military contracting division is unclear," — CyberWire Daily, [18:50]
8. Switzerland Enhances Cyberattack Reporting Requirements
Timestamp: [20:30]
Effective April 1, Switzerland mandates that critical infrastructure operators—including energy, water, transport, and government entities—report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours. For attacks that disrupt operations, leak data, or involve blackmail, a full report is required within 14 days, with penalties for non-compliance. This regulation forms part of an amendment to the Information Security Act, with a grace period extending until October 1. Similar reporting laws are already in place in jurisdictions such as the US, UK, EU, and Australia.
Notable Quote:
"These regulations are part of a global trend towards more stringent cyberattack reporting standards," — CyberWire Daily, [20:30]
In-Depth Interview: Errol Weiss on Critical Infrastructure Cybersecurity
Guest: Errol Weiss, Chief Security Officer at Health ISAC
Timestamp: [14:42] to [27:42]
The Imperative of Private Sector Leadership
Errol Weiss begins by reflecting on a pivotal moment from 2011, inspired by New York Police Department Commissioner Ray Kelly's assertion that reliance on the federal government for security is insufficient. This philosophy underscores the foundational belief within the ISAC community that the private sector must take the lead in protecting critical infrastructure.
Notable Quote:
"We cannot rely on the federal government," — Errol Weiss, [14:42]
Historical Context and Evolution of ISACs
Weiss traces the origins of Information Sharing and Analysis Centers (ISACs) back to the mid-1990s, coinciding with the burgeoning internet and e-commerce sectors. The 1997 Presidential Commission on Critical Infrastructure Protection and the subsequent 1998 Presidential Decision Directive 63 established the framework for ISACs, promoting information sharing among private sector entities to bolster collective cybersecurity defenses.
Notable Quote:
"ISACs encourage each critical infrastructure sector to share information and collaborate on new threats," — Errol Weiss, [16:47]
Measuring Success Within Health ISAC
Success for Health ISAC is assessed through metrics such as the volume of shared indicators, member engagement levels, and the overall growth of the organization. While tangible metrics like prevented breaches are challenging to quantify, Weiss emphasizes the invaluable non-tangible benefits, including enhanced threat awareness and professional development for members.
Notable Quote:
"It's hard to put a number on it, but I think they understand there's value," — Errol Weiss, [20:16]
Future Aspirations and Global Collaboration
Looking ahead, Weiss envisions a more integrated global approach to information sharing, transcending national borders to address the inherently borderless nature of cyber threats. Health ISAC, with members in 140 countries, aims to facilitate seamless international collaboration, enabling rapid dissemination of threat intelligence across diverse regions.
Notable Quote:
"If we're able to encourage country ISACs to connect smoothly, it would better serve their members," — Errol Weiss, [21:51]
Navigating Partnerships with the Federal Government
Weiss highlights the challenges posed by political shifts and reduced federal participation in ISAC activities. Despite close collaborations with agencies like Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA), current administrative changes have led to diminished interaction. Nevertheless, ISACs remain committed to maintaining their role as apolitical, private sector-driven entities, ensuring continuity in information sharing and cybersecurity efforts.
Notable Quote:
"ISACs were established as apolitical trusted resources, independent of federal administration changes," — Errol Weiss, [25:01]
Concerns Over International Trust and Cooperation
Weiss expresses apprehension regarding the potential erosion of international trust in U.S.-led information sharing initiatives amidst current administrative dynamics. He underscores the importance of sustaining global partnerships to enhance collective cybersecurity resilience, advocating for continued collaboration despite geopolitical tensions.
Notable Quote:
"Foreign nations may be less inclined to participate in ISACs due to a lack of trust," — Errol Weiss, [26:31]
Conclusion
The March 10 episode of CyberWire Daily underscores the escalating cyber threats emanating from exploited vulnerabilities in widely used technologies like PHP and ESP32 microcontrollers. The nuanced discussion on the ONCD's expanding role and the innovative tactics of ransomware groups like Akira highlight the dynamic nature of cyber warfare. Furthermore, the interview with Errol Weiss illuminates the critical role of private sector collaboration in fortifying global cybersecurity defenses. As cyber threats continue to evolve, the imperative for comprehensive information sharing, proactive vulnerability management, and resilient infrastructure becomes increasingly paramount.
Listeners are encouraged to stay informed and proactive in their cybersecurity measures, leveraging insights from industry leaders to navigate the complex and ever-changing digital threat landscape.
For more detailed analysis and updates, subscribe to CyberWire Daily through your preferred podcast platform.
